How do cyber criminals operate?
Cyber crime activity is growing fast and evolving at pace, becoming both more aggressive and technically advanced.
The Office for National Statistics (ONS) estimated that in 2015 there were 2.46 million cyber incidents. With the 2016 figures due to be published next month, the ONS expects them to have risen in 2016 and predicts that the number will carry on growing into 2017.
Cyber crime activity is now a major threat to all UK businesses and individuals, but little is known about how cyber criminals operate. Matt Carey, Head of London Operations Team and National Cyber Security Centre (NCSC) explains “very few people are aware of the extent of the online criminal ecosystem that supports and enables cyber attacks, and the business model behind it”.
On 10th April 2017, the NCSC published a report outlining cyber criminals' methods, how they organise themselves and how their activities are monetised.
The report explains that the internet has enabled Organised Criminal Groups (OCGs) not only to conduct such activities, but also to share techniques and services. OCGs are usually made up of individuals with distinct skillsets who fill the following roles:
- A team leader - manages the team and ensures the group are ahead of local and international law enforcement.
- Coders - malware developers who will write and update new code, or plagiarise or modify publicly available malware.
- Network administrator - responsible for hijacking large networks.
- Intrusion specialist - ensures the malware presence is enduring and that the network can be exploited.
- Data miner - identifies the data of value and presents it in a way that can be used to make money.
- Money specialist - identifies the best way to make money from each type of dataset - could be selling in bulk to trusted criminal contacts, or by using specialist online services.
How criminals get access to your network
The most common way for criminals to get access to machines or networks and steal data is through malicious links or attachments in phishing scams. Phishing scams are usually easy to identify:
- The sender’s email address doesn’t tally with the trusted organisation’s address.
- There’s a suspicious display name that doesn’t match the email address.
- The email contains spelling and grammatical errors.
- The entire text of the email is contained within an image rather than plain text.
- The content indicates urgent action is required.
- The link destination doesn't match the displayed text - check by hovering your mouse over the link without clicking it.
Smoothwall recommends that if a message looks even remotely suspicious, it should not be opened; similarly, do not open any attachments you aren't expecting.
If in doubt, always contact the company prior to taking action to confirm the email is legitimate (search for the contact details online - don’t use the contact details provided in the email!).
Other common routes include visiting genuine websites that have been compromised with malicious code (known as a watering hole attack), or malicious adverts on legitimate sites that redirect the browser to a server under the attacker's control (known as malvertising).
The NCSC states that it is vital for organisations and individuals to have up-to-date antivirus software on all machines, as it can prevent malware from succeeding.
Turning data into cash
The most common ways for OCGs to 'monetise' stolen data are to have dedicated money specialists do it themselves, or to sell the stolen data on to other criminals for them to exploit, also known as 'secondary fraud'.
There are hundreds of criminal websites that facilitate secondary fraud, including 'Automated Vending Carts': sites where data can be bought in bulk with digital currencies such as Bitcoin.
For more information on investigating a cyber attack, click here to read our previous blog, and if you would like to speak to Smoothwall about advice on building a multi-layered security system, please contact one of our security specialists today.
Source: NCSC. The financial trojan business model.